
SharePoint must allow authorized users to associate security attributes with information.


Overview

Finding ID: V-27974
Version: SHPT-00-000040
Rule ID: SV-36067r3_rule
IA Controls: ECAD-1
Severity: Medium
Description
Security attributes are metadata representing the basic properties of an entity with respect to safeguarding information. These attributes are typically associated with internal data structures within the application and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. Some examples of application security attributes include classified, FOUO, and sensitive. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor).

For SharePoint installations, this capability is natively provided once content types, metadata, and an information management policy are configured as required by SHPT-00-000009 and SHPT-00-000010. Once content types are defined, enabled, and configured, users will be prompted to enter these attributes when adding new documents or list items.
STIG Date
SharePoint 2010 Security Technical Implementation Guide (STIG) 2015-10-02

Details

Check Text (C-36974r3_chk)
To verify users are prompted automatically when entering new documents into SharePoint:

1. Using an account with authorized user permissions (not system administrator), attempt to add a document to a document library.
2. Verify the user is prompted to enter metadata and content type information.
3. Mark as a finding if the sample users are not prompted for content type information as required by the site's SSP as designated by the organization (e.g., FOUO, Personally Identifiable Information [PII], or other sensitivity levels requiring access control, retention, or tracking).
Fix Text (F-32238r5_fix)
Create an information management policy and apply it to lists, libraries, and list content.
1. On the site collection home page, click Site Actions, point to Site Settings.
2. Click Site Settings.
3. On the Site Settings page, in the Site Collection Administration list, click Site Collection Policies.
4. On the Site Collection Policies page, click Create.
5. Follow the menus and prompts to create a name and description for the policy, and then write a brief policy statement that explains the policy to the users.
6. Configure the desired features to associate with the policy.
7. When you finish selecting the options for the individual policy features that you want to add to this information management policy, click OK to apply the policy features.
8. Once an information management policy has been created for the site collection level, it can be applied to lists, libraries, or list content type.
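
The manual check above samples one library at a time; the following PowerShell is an added example (not part of the STIG or of Microsoft's tooling) that lists every document library and content type in a site collection, with the required metadata columns and any information management policy attached, so reviewers know where to run the manual upload test. Assumptions: it runs in the SharePoint 2010 Management Shell on a farm server, the site URL is a placeholder, and excluding the built-in file name column (FileLeafRef) from the required-column list is this example's choice.

```powershell
# Added example: inventory of content types, required columns, and policies per library.
# $SiteUrl is a placeholder; replace it with the site collection under review.
param([string]$SiteUrl = "http://sharepoint.example.local/sites/placeholder")

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Policy")

$folderId = [Microsoft.SharePoint.SPBuiltInContentTypeId]::Folder
$site = Get-SPSite -Identity $SiteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            foreach ($list in $web.Lists) {
                # Only visible document libraries are in scope for the upload check.
                if ($list.Hidden -or $list.BaseType -ne "DocumentLibrary") { continue }
                foreach ($ct in $list.ContentTypes) {
                    # Folder content types do not prompt for document metadata.
                    if ($ct.Id.IsChildOf($folderId)) { continue }
                    # Required, visible columns are what force a metadata prompt on upload.
                    $required = @($ct.FieldLinks |
                        Where-Object { $_.Required -and -not $_.Hidden -and $_.Name -ne "FileLeafRef" } |
                        ForEach-Object { $_.Name })
                    # Returns $null when no information management policy is attached.
                    $policy = [Microsoft.Office.RecordsManagement.InformationPolicy.Policy]::GetPolicy($ct)
                    $policyName = ""
                    if ($policy) { $policyName = $policy.Name }
                    New-Object PSObject -Property @{
                        Web                 = $web.Url
                        Library             = $list.Title
                        ContentTypesEnabled = $list.ContentTypesEnabled
                        ContentType         = $ct.Name
                        RequiredFields      = ($required -join ", ")
                        PolicyName          = $policyName
                    }
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

# Rows with content types disabled, no required columns, or no policy are
# candidates for the manual check; the SSP decides which are findings.
$report |
    Where-Object { -not $_.ContentTypesEnabled -or -not $_.RequiredFields -or -not $_.PolicyName } |
    Select-Object Web, Library, ContentType, ContentTypesEnabled, RequiredFields, PolicyName |
    Format-Table -AutoSize
```

The output narrows where to test; the finding itself is still determined by uploading a document as an authorized non-administrator user and comparing the prompt against the SSP.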